Attendees beware: A Black Hat in the sun can scorch your brain

Some lab rats recently made the trek to temperate Las Vegas
(temperate, that is, if you leave your thermostat set at 106 degrees)
to attend the Black Hat Briefings (BHB) and DefCon 6. For those who
don't know, Black Hat is to DefCon what a debutante ball is to a frat
party: Think security-aware vs. security-crazy.

At BHB, $1,000 got us two days of sober presentations at the
respectable (by Las Vegas standards) Caesar's Palace on the strip.
Speakers included Marcus Ranum, president and CEO of Network Flight
Recorder, and Dr. Mudge, chief financial officer at the Cult of the
Dead Cow. Topics ranged from Windows NT vulnerabilities to holes in
cellular encryption.

We enjoyed the conference, especially the "meet the enemy" and "meet
the fed" sessions. At the latter, we found out how the federal
government and military surprisingly have a lot in common with the
private sector when it comes to security concerns.

And our long ears perked up when, at the mention of "eligible
receiver," those in the shadows started whispering. We learned that
eligible receiver is the government's method of testing itself.
Officials have assembled a tiger team and are checking the
vulnerabilities of every government agency (see http://www.infowar.com/civil_de/civil_022698b.html-ssi).

In other BHB news, we were happy to bump into friends from Ernst &
Young, who were keeping their skills sharp at the show. We recently
enrolled in their excellent "Extreme Hacking" security program and
highly recommend it. (See "E&Y teaches the fine art of hacking at your site," July 27.)

Letting it loose

DefCon was a different animal than BHB, more of a party animal. Now in
it's sixth year, DefCon always makes us feel like we're in high school
again, surrounded by leather-clad longhairs who are a sharp contrast to
the business casuals at BHB. Of course, with an admission fee of $40,
we didn't expect anything more or less.

After saying farewell to the BHB's swank venue, we shuffled from the
strip to the downtown Plaza Hotel (supposedly the location of Biff's
Pleasure Palace in Back to the Future II). On the floor, we stuffed our goody bags to overflowing with underground books, copies of 2600 magazine, and CDs of OpenBSD. While listening to a cranium-cracking house beat, we watched a networked "capture the flag" session.

At the packed presentations, we found out how easy it is to break
through dead bolts, and listened to a legal expert tell us what stupid
things not to do when stopped by the law. During one of the
entertaining "spot the fed" events, we learned that our friends in
Redmond may be encroaching on the AS/400 farms that support the
casinos. We only saw photographs, but it seems as if one of the MGM
Grand's jumbotrons was recently hacked, displaying an enormous Blue
Screen of Death and hex dump for hundreds of gamblers to puzzle over.

After performing every true Trekker's duty by genuflecting at the
stations of "Star Trek: The Experience," we left Sin City. Our only
regret: We wish we had picked up one of the Geiger counters on sale at
DefCon. It could have been helpful in our plans to turn an abandoned
missile silo in the Nevada desert into the perfect remote lab.

This week's Loose Cables was written by ex-Test Center rat Victor
R. Garza, Security Watch columnists Stuart McClure and Joel Scambray
contributed. Are you a business casual or a longhair? Let us know at loose_cables@infoworld.com.